Microsoft now disclosing third party vulnerabilities

Microsoft's vulnerability disclosure program has been expanded to include releasing security vulnerabilities in third party Windows software. The first bulletins released by Microsoft covered an information disclosure flaw common to the HTML5 implementations in Google Chrome and Opera (MSVR11-002) and a use-after-free vulnerability in Chrome (MSVR11-001). Both flaws were fixed several months ago; both reports appear to have been held back while Microsoft prepared to publish its new policy on vulnerability disclosure.

That new policy, "Coordinated Vulnerability Disclosure at Microsoft", is written up as a nine page document (.docx file). It covers how Microsoft practises revealing flaws in its own and other companies' software, how it will inform other vendors of flaws (including the level of detail in the report), and when it will go public with an MSVR report. In the latter case, Microsoft reserves the right to publish before a vendor releases a fix when the technical details of the vulnerability are already publicly known, when there is evidence of exploitation of the unpatched vulnerability, or when the vendor fails to respond.